This project is submitted for

Description

In a world where digital privacy doesn't exist anymore, where journalists couldn't securely do their work, where companies are spyed upon by various entities, and where Human Rights are cynically disregarded, there is an urgent need for an easy-to-use tool to restore digital privacy.

This autonomous device uses the available connectivity to build a secure access-point and bypasses internet filters to connect to a remote network, use a secured internet or even browse anonymously.
Connect your laptop/smartphone to the device's secured wifi access-point, no additional setup is needed. Enjoy a secured internet anywhere, anytime.

It could connect the internet via a public wifi access-point, 3G internet via phone usb/wifi tethering, corporate cable network, or even your own router/ADSL box.

It is very easy to use with its touch control interface and its fully automatized functions.

It could run autonomously during several hours on its internal battery.

Details

Basically, this device acts as a wifi / ethernet router and access point. It could connect to the internet using some random wifi, a wired network, or a tethered android phone (wifi or usb). On the secured side, it acts as a wireless access point with internet forwarding so it works with every kind of device : PC, laptop, smartphone, using Windows, GNU/Linux, Android or even Mac-OSX.

The wireless access-point is also hardened with a random key feature. The access-point security key could be modified on-demand and at boot-time with a random one.

From the touch screen interface, TOR or an OpenVPN tunnel could be enabled. This custom interface could be used for complete operation, full setup and device monitoring.

It only needs a wifi adapter and no setup on the endpoint device (computer, smartphone…) to work. The user interface is also very easy to use with on/off buttons, so it is very easy to operate by non tech people.

In sensitive situations, the complete software and operating system could be installed in a few minutes from a preconfigured and encrypted image. The SD-card could also be removed from the device or even destroyed in a few seconds, causing no harm to the device, but makes it completely empty and useless. This way, sensitive data such as SSH private keys are secure.

The device hardware is open source, and uses only free software. This way, it could be improved by the community when it needs to, and it also helps defend digital freedom and Human Rights.

It also makes a perfect device to fight planned obscolescence : the software is built to be cross-compatible with different boards, offering different features, to adapt to various situations and evolve over time.

The device could be built at home using some easily sourceable parts and laser cut enclosure in a ready-to-build kit (see below), but could also be easily customized and manufactured for specific needs.

Project Logs

After a lot of time thinking about this sad story, I decided to release the project to public domain. I won't sell it and I won't make any real money with it, so in my opinion, this is the best option : with a strong license, it should prevent any fishy corporation / administration to exploit it, still allowing users to do whatever they want with it.

So I'm left with 2 questions for the Hackaday readers :

- what would be the best license to use ? I want the device to be free (as in freedom), but I don't want nasty corporations to use it for bad purposes, locking it to the public or make insane money with it (it would not be fair in my opinion)

- is asking for a donation a bad idea ? Would you give one ? I think getting some money back would be fair, as I lost so much designing a useful tool I'm now willing to give for free.

Do you have a better idea ?

I still want to write about the story surrounding this project : we often read about successful stories, failures not so much...

I really had to write an update to this project, but it's a difficult task.

This project has been a major part of my life for almost 2 years. From the 2014 semi finals to a swiss company scam in May of 2016, I encountered almost everything possible and lost a lot :

I've been threatened by a major company

I dodged 5 scams (from venture capitalists to big well known industries)

I lost a lot of money

Finally I lost my wife and my home

So, despite I still believe this device is a very important one, I now prefer devoting my time and skills to other projects. I've lost too much because of it.

The device is running well, but the code is not secure enough to give it to the public, so I won't release it in the actual state. The device is too critical to be used lightly, or by someone who is not aware about its actual limits. I don't want this kind of responsibility anymore.

However, I learned a lot, from designing to dealing with lawyers. And it was a great experimentation.

You are free to email me if you want to discuss about it.

Thank you hackaday, and many thanks to the hackaday readers who supported this project.

Device temperature monitoring. An icon appears if the device runs hot (never happens anymore but we never know) and shuts down on overtemp

Battery power gauge

Finally, I finished porting the software to the BananaPi board, but I have an issue with the touchpanel driver. More details on this page. I own the official (and very nice) BPi 3.5" display but it is not touch enabled (yet), so I may have to find another display to complete the porting.

To the many people who are asking if I have something to do with "Anonabox" cancelled kickstarter campaign :

NO, I have nothing to do with them. They took advantage of this project when starting their campaign a few hours before the contest judging, and used my phrasing, but that's all. The tech savvy people could even check anonabox.com registrar to see the mentionned website was registered long after my project was registered to the contest.

Edit : Hackaday just posted an article about this here. Thanks for your support, Hackaday !

I'm also very interested in starting a KickStarter campaign or anything else that could make this device reach market (KickStarter is not available officially from France). I'm open to every proposition, so please drop me a line !

I just added a small Paypal Donate button on the project homepage... Do whatever you want with it :p

Along minor changes, there is now the possibility to manually or automatically generate a random security key. This key is being used by the wireless access point software (hostapd).

A new menu entry allows to use this feature and see the actual key. I have yet to add other access-point related options but it's now easy. WPA2-PSK setting being hardcoded is not necessarily a bad thing for the moment :p

Another hardcoded variable is key lenght. It is meant to be user-definable between 40-256 bits (for scalable security vs usability), but I didn't add it to the menus yet.

The random key generation is also possible on boot, but it's still (also) a hardcoded config variable.

Of course, hostapd and the related interface are automatically restarted when needed to apply the new config.

HackadayPrize semifinals ore now over. Congratulations to the 5 finalists ! You really deserve it !

Now, move on, there's still a lot of work with this device...

With the hype created by the (very questionnable) "Anonabox", it is very important I clarify a few things :

Tor is not meant to encrypt traffic, "Anonabox" is very wrong about this. Tor is meant to hide your IP address, nothing more : each end of the Onion circuit could see your traffic. Encrypting traffic is OpenVPN job.

Tor is not meant to be used all the time : for an example, using it to stream videos, like said on "Anonabox", will cause harm to the Onion network. This is the reason UnJailPi is not fully automatic, and you are still able to activate/deactivate Tor and OpenVPN : you use them when you need them.

This device won't protect your privacy if your end-point device (tablet, computer) is compromised already. You will also have to change some of your browsing habits : disable Javascript in your browser, carefully use credentials, and some more. Quoting Kali Linux meme : "With great power, comes great responsability"

For the moment, UnJailPi is built on top of a cut-down Raspbian Operating System. It was the best way (IMO) to start with a clean base : Raspbian repos are used widely so there shouldn't be anything really suspiciousn and software updates still remain easy. However I'm actually looking for a more specialised operating system : Moebius, OpenWRT, PORTAL are options.

UnjailPi prototypes use Raspberry Pi / Banana Pi boards. Raspberry Pi is a well known board, we can be 100% sure it doesn't have any hardware backdoors. About Banana Pi, I'm sure LeMaker people will be more than happy to have some of their boards handle an audit.

I never said anywhere I'm a security specialist. My code is easy enough to prove there are no flaws in it, and if there are, I'd be more than happy to correct them.

UnJailPi is still at the HackadayPrize semifinals status : it is still in a prototype stage and final revision is not there yet. The device is looking for some funding, some feedback, and could benefit of some technical help. If you are willing to support this project, feel free to contact me...

I'm also being asked the differences with Adafruit OnionPi. Here are some of them :

OnionPi is fully automatic, Tor is enabled on startup. This was a good start base, but Tor needs to run only when we need it.

Finally, it's there : we can now black-or-white list TOR relays based on location, from the main interface.It's a little difficult to explain, so here is the demonstration video (I apologize for the video quality, filming this tiny screen is not so easy) :

Basically, it allows to force or block relays, based on their location (246 countries....). It was a really important feature from start, but some work had to be done to allow this possibility.

One could notice the menu is not so nice yet, and this feature still needs a "complete reset" and a easy to read list of white-or-black listed node locations : it may be a little difficult to know the current settings. But hey, it's not a big deal, the hard part is done already.

Now, I want to be able to determine the exact circuit TOR is using, maybe show it on a map. I already have a few ideas about how to do it, even some code snipplets ready, but it is another story.

Now, I could easily watch Doctor Who's new season live episodes on BBC from France... :-)

We are now a few hours to the next vote, so I think I won't work on the documentation anymore until then. The project will make the cut to the next contest stage, or will not, it's now too late to change this fate.

So, I think it is a great time to thank the people who contributed to this project, either with providing some hardware, or with giving some time, or both. This project could not have gone so far without these people :

PiModules donated the main prototype's powering circuit and laser cut enclosure. On the other hand Ioannis is always present when I encounter problems.

LeMaker team worked so hard to improve their software and allow the BPi prototye to work in time. They are also of great help with many things along the way.

Many people offered their help in one way or another : the swiss people that invited me for a device's show, the hackaday readers who gave some very contructive critizism about the project, the friends and relatives who donated time, advices and critizisms, and of course my best half who supports me day after day.

Of course, I wish to thank HackaDay team for bringing me the chance to get some attention about this device. Before this contest, I wasn't that sure my device concept could be interesting to people. Now, I don't have any doubts about it.

This contest is only the beginning about this device. Many more improvements are planned, and I'm already working hard towards a future marketing scheme. Partners and customers are identified already, it is just a matter of time (and money) right now.

I was not sure I could make it work before the next vote, but finally it is there and I could show it.

This prototype shares the first prototype's display and enclosure, it is so nice to make experiments without breaking anything... Software is cross compatible with the "official" device. Other than that, this is a completly different beast.

This prototype is not meant to remplace the actual device which runs very well, but to live side by side with it. Each one offers its own unique hardware features (the Raspberry Pi advantages being the most advanced device, easily buildable, and offers a large support community).

Hardware :

The main board is the Banana Pi from Lemaker people. This is a Allwinner A20 SOC featuring a 1GHz dual-core Cortex A7 CPU, with 1GB DDR3 memory, Gigabit ethernet, a SATA port, and battery charging circuitry. The user defined led and onboard on/off button are also very appealing. It shares the Raspberry Pi GPIO scheme and runs a Raspbian-compatible operating system.

So it made perfect sense to port the Web Security Device to this board first.

The most difficult part was about the display, it finally worked only today. This prototype still misses its internal battery, but I already made some progress about it and Lemaker people do a great job helping me along the way with their hardware.

Software :

Like I've done with the actual device, it runs a stripped-down version of Raspbian-like OS, cleaned up of every component non-essential to the device. Less software components means better security. I also updated the main software to be 100% cross-compatible with RPi and BPi (except the powering management part for the moment). Next move may be moving both boards to some barebone distro.

It still needs a lot of work, but this new prototype runs very well already, and is pretty fast...

You said that companies we're showing interest in the hardware. Is there any guarantee that the project will remain open for others to build at home and that it would resist any and all attempts to circumvent the private of the hardware? I hate to ask this, but there have been companies who have caved to the government and other groups either for money or to save themselves from closing the company/legal trouble. I know it may seem blaringly apparent that you care about the public privacy rights and etcetera. I just wanted to hear it in black and white whether it was more than any kind of financial gain.

This seems like something that could take off like a rocket once it gets started. Eventually, groups may begin to look at it for other reasons than what they are now.

I hope that you understand why I'm asking these things. Thanks for your time, in reading, and creating this amazing project

Wow. I wish I would have seen this sooner. Very impressive. This is actually exactly what I intended to do but time and resources are in short supply and high demand. You've done significantly better than I could have imagined my own may have turned out. Belated congratulations on becoming a semifinalist! Had I seen this at the time, it would have had my vote.

Overall I am very impressed with this build. Very good attention to detail and very well thought out. A++ for the device itself..

BUT... I do have to comment on one point. This is not the first of these types of devices that I have seen. Devices that act as a gateway to Tor.

Connecting a computer that you have already accessed the internet directly with through Tor will not provide you any privacy protections what so ever. Your computer's unique id's have already been recorded and all you're going to do is update your ip logs with tor exit nodes. There are so many services that get installed that all "call home" to either check for updates, validate license keys/DRM etc.. And each of these has the ability to identify you and do. Not to mention all the "non-torbrowser" exploits and javascript tracking.

As I have said, i've seen several devices that allows people to easily do this and I have not yet seen any of them offer the above said warning.

You're perfectly right about background services. This is why I'm adding the "security profiles" feature. It should open the firewall only for a few allowed services and blocks everything else.

On top of that, there's also the domain filter, where one could add IPs/domains to block.

And if it's still not enough, there exist some tools I could use, like MITM proxy.

About browser / javascript exploits, I'm adding some very explicit warning messages to the interface, where it shows how to use the device safely (install no-script, use private browsing, etc). These exploits are very concerning to me, but I still didn't find a better way...

The vast majority of similar devices I know don't go this far : they usually only provide a Tor gateway and nothing else (firewall rules if you are lucky). This is the reason why I'm not rushing for a release, and prefer working on good implementation...

Hi,
I plan to add some filtering capabilities. Actually I'm using a small proxy filter script based on dnsmasq that is running well and is very customizable.
I think the new BPi based prototype has the processing power for this, maybe even a transparent realtime malware scanner.
My biggest problem actually is about browser cookies and this kind of things.

Hey, thanks for working on this! I've got a couple comments/feature requests:

It would be really great if people can easily share their UnJailPi connection with others over WIFI - would it ever be possible for a nearby client to detect an UnJailPi and connect to it with WIFI? The benefit here is a) the connectivity (3G/Broadband) is paid for by someone completely other than eg. the journalist/activist, b) if a journalist can connect via WIFI, their location will be less visible than if they connected something (their phone or UnJailPi) via 3G.

In terms of reducing the risk for the person sharing their connection to anonymous users, it could be required for guests to connect via a Tor bridge provided by the UnJailPi - traffic leaving the UnJailPi could not be traced back as an OpenVPN connection could.

The Tor bandwidth issue could be resolved with traffic shaping on the box, so each client is limited to X Mb of usage per minute. This wouldn't allow videos, but could allow abuse prevention for 100% Tor access.

It's best not to rely on VPN these days for anything more than encrypting traffic from your immediate ISP - the VPN provider will still have the plaintext, and the traffic from the VPN provider to end service will be unencrypted. Additionally advanced actors are collecting the VPN keys, either with insiders or exploiting the VPN comanies (there are only so many VPN companies). In short, HTTPS/TLS is the only real solution there.

Perhaps allowing owners to block HTTP (port 80) connections would give some protection against mistakes there (similar to the HTTP Nowhere plugin).

It should be possible to keep most of the software quite general, potentially allowing installation on phones to use their 3G, or on OpenWRT capable routers, so I hope the development doesn't make raspi too much of a requirement...

Hi,
Your first idea about sharing UnjailPi connections over wifi is nice, however
I'm not sure to understand well the part about a Tor bridge. Do you mean, we
always have a Tor circuit active for anonymous users, inside a reserved wifi
"tunnel" ? How would it react if both devices enable Tor ? However it's a great
idea.

About the VPN part, I never designed the device to connect to third-parties VPN
providers. It is meant to be used with your own server (I'd like it to be a
second unjailpi), you could leave at home or at a secure place and connect to it
when necessary (fast-food wifi etc...).

Your HTTP nowhere is a brilliant idea. From start I want to force http traffic
to https (like https everywhere) but couldn't find a good solutions. Blocking
HTTP could be a first real solutions, but would need some sort of captive portal
for denied connections.

Do you have some expertise about all this ? Perhaps we could talk...

For the moment, the software could run on about every linux computer. Running on
routers could be more tricky, I don't see how it could be usable without some
display.

Connecting to a personal VPN server would lose the anonymity properties of commercial VPNs, since then only one person would be using it (though generally VPN shouldn't be considered anonymous anyway).

Terminating the VPN at the home would still leave traffic onwards in the clear, as though browsing in the clear in your living room.

IMO surprisingly few people would set up a home VPN server themselves due to the effort.

Sharing a connection would probably be a bad idea for the current VPN and Tor modes, since a malicious user could join and purposely emit location/IP data in the traffic, which would be associated with other users' traffic and greatly reduce their anonymity.

Sharing a connection would definitely be a bad idea for VPN mode if the other end was at the person's home, as that would allow allow random people access to the home's internal network.

In general, wrapping the pipe in Tor or VPN is hazardous and requires quite a lot of discipline and technical knowledge to use correctly, because if anything on the end user device is transmitting deanonymised traffic, the rest of the traffic can have its identity compromised by being associated with it. If a user can run the Tor Browser Bundle on their computer instead they would likely be safer because that traffic would be isolated from the rest of the computer's connections.

My suggestion was that instead of wrapping the entire outbound pipe in VPN or Tor, a Tor bridge could be available with the WiFi LAN at eg. 192.168.1.2:9999 and any immediate WAN traffic blocked, so the Tor bridge must be used to reach the internet. With my current understanding I think that's secure and would keep different users' traffic separated. This is completely different from the current VPN and Tor settings, so would be a 3rd option.

Blocking outbound port 80 traffic changes the anonymity profile of it slightly so it might be reduced from "is a Tor user" to "is an UnJailPi user". Personally I don't think that's a show-stopper, but something to be aware of.

Comments to points from another post I saw:

PHP concerns seem legitimate IMO. It'd probably be safest for all admin functionality to be touch screen only and not available on the LAN.

Decades of experience working with people's communications in clear text might not make Telco companies the best communications security advisors ;)

Kaspersky labs' founder has recently been quoted arguing for "Internet Passports", whatever they are, so may not be the best advisors for anonymous technology devices.

However, it's great that you're working to do something about the clearly unsatisfactory communications security situation, especially for regular non-technical people, and I raise all these points so you can be aware of them as you go.